Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system
submitted: 17/04/2024, 15:40
Static task: static1
Behavioral task: behavioral1
Sample: 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
Resource: win10v2004-20240412-en
General
Target: 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
Size: 4.2MB
MD5: eca19b4eb5c269b948c21aeada803d50
SHA1: 06e9274af530b892a3270652f5098c795c27a9db
SHA256: 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572
SHA512: 344dd68cecdc59d2f7d0f689287cde1b52dd9c808b30fd4a80079c8437b9df4cfe12a62792f0548887e90403debfce6c39bb1934789931bfddbc4c2c089c2df4
SSDEEP: 98304:ez7Cg0ld9bGpeFIidtQ9zICqBAsCsR7hN5aqRYTU7+:U7NcfZtQ9LJEd3aOYT++
Malware Config
Signatures
Glupteba payload 19 IoCs
resource | yara_rule
behavioral1/memory/4128-2-0x0000000005260000-0x0000000005B4B000-memory.dmp | family_glupteba
behavioral1/memory/4128-3-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/2652-56-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/2652-69-0x0000000005210000-0x0000000005AFB000-memory.dmp | family_glupteba
behavioral1/memory/4128-105-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/2652-197-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/552-254-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/552-265-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/552-269-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/552-273-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/552-277-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/552-281-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/552-285-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/552-289-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/552-293-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/552-297-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/552-301-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/552-305-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral1/memory/552-309-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
940 | netsh.exe
Executes dropped EXE 4 IoCs
pid | Process
552 | csrss.exe
4192 | injector.exe
3328 | windefender.exe
3092 | windefender.exe
resource | yara_rule
behavioral1/files/0x0008000000023461-260.dat | upx
behavioral1/memory/3328-262-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral1/memory/3092-267-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral1/memory/3092-275-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
description | ioc | Process
File opened for modification | \??\WinMonFS | csrss.exe
Drops file in System32 directory 7 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\rss | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
File created | C:\Windows\rss\csrss.exe | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
File created | C:\Windows\windefender.exe | csrss.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
3408 | sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2516 | schtasks.exe
620 | schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1432 | powershell.exe
1432 | powershell.exe
4128 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
4128 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
2460 | powershell.exe
2460 | powershell.exe
2460 | powershell.exe
2652 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
2652 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
2652 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
2652 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
2652 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
2652 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
2652 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
2652 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
2652 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
2652 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
4760 | powershell.exe
4760 | powershell.exe
3620 | powershell.exe
3620 | powershell.exe
1352 | powershell.exe
1352 | powershell.exe
1424 | powershell.exe
1424 | powershell.exe
3108 | powershell.exe
3108 | powershell.exe
4192 | injector.exe
4192 | injector.exe
4192 | injector.exe
4192 | injector.exe
4192 | injector.exe
4192 | injector.exe
552 | csrss.exe
552 | csrss.exe
4192 | injector.exe
4192 | injector.exe
4192 | injector.exe
4192 | injector.exe
4192 | injector.exe
4192 | injector.exe
552 | csrss.exe
552 | csrss.exe
4192 | injector.exe
4192 | injector.exe
4192 | injector.exe
4192 | injector.exe
4192 | injector.exe
4192 | injector.exe
552 | csrss.exe
552 | csrss.exe
4192 | injector.exe
4192 | injector.exe
4192 | injector.exe
4192 | injector.exe
4192 | injector.exe
4192 | injector.exe
4192 | injector.exe
4192 | injector.exe
4192 | injector.exe
4192 | injector.exe
4192 | injector.exe
4192 | injector.exe
4192 | injector.exe
Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1432 | powershell.exe
Token: SeDebugPrivilege | 4128 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
Token: SeImpersonatePrivilege | 4128 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
Token: SeDebugPrivilege | 2460 | powershell.exe
Token: SeDebugPrivilege | 4760 | powershell.exe
Token: SeDebugPrivilege | 3620 | powershell.exe
Token: SeDebugPrivilege | 1352 | powershell.exe
Token: SeDebugPrivilege | 1424 | powershell.exe
Token: SeDebugPrivilege | 3108 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 552 | csrss.exe
Token: SeSecurityPrivilege | 3408 | sc.exe
Token: SeSecurityPrivilege | 3408 | sc.exe
Suspicious use of WriteProcessMemory 36 IoCs
description | pid | Process | procid_target
PID 4128 wrote to memory of 1432 | 4128 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe | 88
PID 4128 wrote to memory of 1432 | 4128 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe | 88
PID 4128 wrote to memory of 1432 | 4128 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe | 88
PID 2652 wrote to memory of 2460 | 2652 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe | 95
PID 2652 wrote to memory of 2460 | 2652 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe | 95
PID 2652 wrote to memory of 2460 | 2652 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe | 95
PID 2652 wrote to memory of 2712 | 2652 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe | 97
PID 2652 wrote to memory of 2712 | 2652 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe | 97
PID 2712 wrote to memory of 940 | 2712 | cmd.exe | 99
PID 2712 wrote to memory of 940 | 2712 | cmd.exe | 99
PID 2652 wrote to memory of 4760 | 2652 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe | 100
PID 2652 wrote to memory of 4760 | 2652 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe | 100
PID 2652 wrote to memory of 4760 | 2652 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe | 100
PID 2652 wrote to memory of 3620 | 2652 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe | 102
PID 2652 wrote to memory of 3620 | 2652 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe | 102
PID 2652 wrote to memory of 3620 | 2652 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe | 102
PID 2652 wrote to memory of 552 | 2652 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe | 104
PID 2652 wrote to memory of 552 | 2652 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe | 104
PID 2652 wrote to memory of 552 | 2652 | 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe | 104
PID 552 wrote to memory of 1352 | 552 | csrss.exe | 105
PID 552 wrote to memory of 1352 | 552 | csrss.exe | 105
PID 552 wrote to memory of 1352 | 552 | csrss.exe | 105
PID 552 wrote to memory of 1424 | 552 | csrss.exe | 111
PID 552 wrote to memory of 1424 | 552 | csrss.exe | 111
PID 552 wrote to memory of 1424 | 552 | csrss.exe | 111
PID 552 wrote to memory of 3108 | 552 | csrss.exe | 113
PID 552 wrote to memory of 3108 | 552 | csrss.exe | 113
PID 552 wrote to memory of 3108 | 552 | csrss.exe | 113
PID 552 wrote to memory of 4192 | 552 | csrss.exe | 115
PID 552 wrote to memory of 4192 | 552 | csrss.exe | 115
PID 3328 wrote to memory of 2560 | 3328 | windefender.exe | 121
PID 3328 wrote to memory of 2560 | 3328 | windefender.exe | 121
PID 3328 wrote to memory of 2560 | 3328 | windefender.exe | 121
PID 2560 wrote to memory of 3408 | 2560 | cmd.exe | 122
PID 2560 wrote to memory of 3408 | 2560 | cmd.exe | 122
PID 2560 wrote to memory of 3408 | 2560 | cmd.exe | 122
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; indentation shows parent/child depth, PID and triggered signatures listed under each process)

C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe"
  PID: 4128
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -nologo -noprofile
    PID: 1432
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572.exe"
    PID: 2652
    Signatures: Adds Run key to start application; Checks for VirtualBox DLLs, possible anti-VM trick; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nologo -noprofile
      PID: 2460
      Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      PID: 2712
      Signatures: Suspicious use of WriteProcessMemory

      C:\Windows\system32\netsh.exe
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        PID: 940
        Signatures: Modifies Windows Firewall

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nologo -noprofile
      PID: 4760
      Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nologo -noprofile
      PID: 3620
      Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    C:\Windows\rss\csrss.exe
      Command line: C:\Windows\rss\csrss.exe
      PID: 552
      Signatures: Executes dropped EXE; Adds Run key to start application; Manipulates WinMonFS driver.; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        PID: 1352
        Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

      C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        PID: 2516
        Signatures: Creates scheduled task(s)

      C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /delete /tn ScheduledUpdate /f
        PID: 1872

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        PID: 1424
        Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        PID: 3108
        Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        PID: 4192
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses

      C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        PID: 620
        Signatures: Creates scheduled task(s)

      C:\Windows\windefender.exe
        Command line: "C:\Windows\windefender.exe"
        PID: 3328
        Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
          PID: 2560
          Signatures: Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\sc.exe
            Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            PID: 3408
            Signatures: Launches sc.exe; Suspicious use of AdjustPrivilegeToken

C:\Windows\windefender.exe
  Command line: C:\Windows\windefender.exe
  PID: 3092
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 281KB
MD5: d98e33b66343e7c96158444127a117f6
SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: 3d086a433708053f9bf9523e1d87a4e8
SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 339d73b1f03a27511d6af323a8971805
SHA1: 31b6a37cf168eb9711713f76653b08b8cf4e86fe
SHA256: 12277bd8b3ebbd53a01f03c76c611670e6baed817a8724fdaddda6fc87009d96
SHA512: 85c4e24525c19622b03e31c9f160d26c5828ee26e2e97c39ed1856a260ec189a14e02142a19f293fdf75a9882e2401a090768f48fb76f46774e53ceebabedc69

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 2f40020435e536b5d7790b67f3c09f6a
SHA1: 1828c76e41de28420812d0eb59e6614dd767afc3
SHA256: a7715f666679e192678396abe90766aed80c6d140e28a11dd357835b0b34333f
SHA512: 6ca912ddba15db2a0c71f73db75fcde6907e430dd2fbb631f7cacd263bf7e69138f3c872429af99241b86bf93be47d272319d5c8ad4325d7d180b27bc614d1c0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: c18a10162c4139d9b83a2d4ba51cb313
SHA1: d9e8b2998db9d44f66e1194992e226238c45a65f
SHA256: a841283a3a666f5325588667c48040d82d9413538b184de69010d932f1bde8ee
SHA512: 911bbf4014cffac548e64da88822e339a80553d7e587f6d332e45b75d012dea15b18b28a339481cf13648baaf1161e7b6dd0ae00bceeac077cc56c6866eb2828

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 076a6ca7b9862e4ef173d8e38b4f2f54
SHA1: e0c2656744623b4cb3a9f7560bd873840a3bc07d
SHA256: 92c9a9e9a7f900437dda7a44f5fdbc0d377017c8140740164c84204b20ae4a99
SHA512: a8f190cb3029cc8b49a804a7fa47f044427415b6ea7f0135e73676c6e01db4de82f36694388046c9423a1e9ebb859c3d499d7c297ebfb55176edacd569b16295

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: def1cefebd5910ddf101c8e2c5cb1720
SHA1: 8468bbc9f43a173ef2503a9301e8a3c77573783f
SHA256: d4631e891bb0f9aeedfdd9f223fa9f5dc9857d30e831f8ec0839539429522381
SHA512: d9c15cf3d05d1b483821e05edb7d700f9de7cc7b3f0eb13a1f964f19b9404494cdd443b21b7732cc6215ecb94d47fa82874a2e1e98a58e8b1664ff42e96a702c

Filesize: 4.2MB
MD5: eca19b4eb5c269b948c21aeada803d50
SHA1: 06e9274af530b892a3270652f5098c795c27a9db
SHA256: 95dc36b08df2699d4f5fd0d6623ea9f7d4e0dc811fe31e60f0d74df9e934e572
SHA512: 344dd68cecdc59d2f7d0f689287cde1b52dd9c808b30fd4a80079c8437b9df4cfe12a62792f0548887e90403debfce6c39bb1934789931bfddbc4c2c089c2df4

Filesize: 2.0MB
MD5: 8e67f58837092385dcf01e8a2b4f5783
SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec