Analysis

max time kernel: 150s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 17/04/2024, 15:53

Static task: static1
Behavioral task: behavioral1
Sample: 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
Resource: win10v2004-20240412-en
General

Target: 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
Size: 4.2MB
MD5: 3fe4b0b8dd103c35ae252f01d81c91ea
SHA1: 59181f7ecebf622327d782cc7bf9722b5fe04324
SHA256: 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16
SHA512: 0678814f70b1a7b8181ce8f74e42d7779d8e846feb4d222f679d3443fb77abd1e468d85b31621c38479336b457aef3d4837ac7880c26fd0549a93b389b878fb6
SSDEEP: 98304:mz7Cg0ld9bGpeFIidtQ9zICqBAsCsR7hN5aqRYTU7U:M7NcfZtQ9LJEd3aOYT+U
Malware Config
Signatures
Glupteba payload (19 IoCs)
resource | yara_rule
behavioral2/memory/4656-2-0x0000000005360000-0x0000000005C4B000-memory.dmp | family_glupteba
behavioral2/memory/4656-3-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/3108-54-0x0000000005220000-0x0000000005B0B000-memory.dmp | family_glupteba
behavioral2/memory/3108-55-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/4656-78-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/3108-147-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/5016-240-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/5016-250-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/5016-253-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/5016-256-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/5016-259-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/5016-262-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/5016-265-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/5016-268-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/5016-271-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/5016-273-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/5016-277-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/5016-280-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
behavioral2/memory/5016-283-0x0000000000400000-0x0000000003118000-memory.dmp | family_glupteba
Modifies Windows Firewall (2 TTPs, 1 IoCs)
pid | Process
2776 | netsh.exe
Executes dropped EXE (4 IoCs)
pid | Process
5016 | csrss.exe
3784 | injector.exe
5012 | windefender.exe
3472 | windefender.exe

resource | yara_rule
behavioral2/files/0x000200000002a9e4-244.dat | upx
behavioral2/memory/5012-249-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral2/memory/3472-252-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral2/memory/3472-258-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Manipulates WinMonFS driver (1 IoCs)
Rootkits write to WinMonFS to hide directories/files from being detected.
description | ioc | Process
File opened for modification | \??\WinMonFS | csrss.exe
Drops file in System32 directory (7 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
Checks for VirtualBox DLLs, possible anti-VM trick (1 TTPs, 1 IoCs)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\rss | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
File created | C:\Windows\rss\csrss.exe | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
File created | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\windefender.exe | csrss.exe
Launches sc.exe (1 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid | Process
3232 | sc.exe
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1352 | schtasks.exe
664 | schtasks.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1184 | powershell.exe
1184 | powershell.exe
4656 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
4656 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
3404 | powershell.exe
3404 | powershell.exe
3108 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
3108 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
3108 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
3108 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
3108 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
3108 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
3108 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
3108 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
3108 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
3108 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
4404 | powershell.exe
4404 | powershell.exe
1172 | powershell.exe
1172 | powershell.exe
2732 | powershell.exe
2732 | powershell.exe
2412 | powershell.exe
2412 | powershell.exe
1184 | powershell.exe
1184 | powershell.exe
3784 | injector.exe
3784 | injector.exe
3784 | injector.exe
3784 | injector.exe
3784 | injector.exe
3784 | injector.exe
5016 | csrss.exe
5016 | csrss.exe
3784 | injector.exe
3784 | injector.exe
3784 | injector.exe
3784 | injector.exe
3784 | injector.exe
3784 | injector.exe
5016 | csrss.exe
5016 | csrss.exe
3784 | injector.exe
3784 | injector.exe
3784 | injector.exe
3784 | injector.exe
5016 | csrss.exe
5016 | csrss.exe
3784 | injector.exe
3784 | injector.exe
3784 | injector.exe
3784 | injector.exe
3784 | injector.exe
3784 | injector.exe
3784 | injector.exe
3784 | injector.exe
3784 | injector.exe
3784 | injector.exe
3784 | injector.exe
3784 | injector.exe
3784 | injector.exe
3784 | injector.exe
3784 | injector.exe
3784 | injector.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1184 | powershell.exe
Token: SeDebugPrivilege | 4656 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
Token: SeImpersonatePrivilege | 4656 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
Token: SeDebugPrivilege | 3404 | powershell.exe
Token: SeDebugPrivilege | 4404 | powershell.exe
Token: SeDebugPrivilege | 1172 | powershell.exe
Token: SeDebugPrivilege | 2732 | powershell.exe
Token: SeDebugPrivilege | 2412 | powershell.exe
Token: SeDebugPrivilege | 1184 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 5016 | csrss.exe
Token: SeSecurityPrivilege | 3232 | sc.exe
Token: SeSecurityPrivilege | 3232 | sc.exe
Suspicious use of WriteProcessMemory (36 IoCs)
description | pid | Process | procid_target
PID 4656 wrote to memory of 1184 | 4656 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe | 81
PID 4656 wrote to memory of 1184 | 4656 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe | 81
PID 4656 wrote to memory of 1184 | 4656 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe | 81
PID 3108 wrote to memory of 3404 | 3108 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe | 86
PID 3108 wrote to memory of 3404 | 3108 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe | 86
PID 3108 wrote to memory of 3404 | 3108 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe | 86
PID 3108 wrote to memory of 2524 | 3108 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe | 88
PID 3108 wrote to memory of 2524 | 3108 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe | 88
PID 2524 wrote to memory of 2776 | 2524 | cmd.exe | 90
PID 2524 wrote to memory of 2776 | 2524 | cmd.exe | 90
PID 3108 wrote to memory of 4404 | 3108 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe | 91
PID 3108 wrote to memory of 4404 | 3108 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe | 91
PID 3108 wrote to memory of 4404 | 3108 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe | 91
PID 3108 wrote to memory of 1172 | 3108 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe | 93
PID 3108 wrote to memory of 1172 | 3108 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe | 93
PID 3108 wrote to memory of 1172 | 3108 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe | 93
PID 3108 wrote to memory of 5016 | 3108 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe | 95
PID 3108 wrote to memory of 5016 | 3108 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe | 95
PID 3108 wrote to memory of 5016 | 3108 | 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe | 95
PID 5016 wrote to memory of 2732 | 5016 | csrss.exe | 96
PID 5016 wrote to memory of 2732 | 5016 | csrss.exe | 96
PID 5016 wrote to memory of 2732 | 5016 | csrss.exe | 96
PID 5016 wrote to memory of 2412 | 5016 | csrss.exe | 102
PID 5016 wrote to memory of 2412 | 5016 | csrss.exe | 102
PID 5016 wrote to memory of 2412 | 5016 | csrss.exe | 102
PID 5016 wrote to memory of 1184 | 5016 | csrss.exe | 104
PID 5016 wrote to memory of 1184 | 5016 | csrss.exe | 104
PID 5016 wrote to memory of 1184 | 5016 | csrss.exe | 104
PID 5016 wrote to memory of 3784 | 5016 | csrss.exe | 106
PID 5016 wrote to memory of 3784 | 5016 | csrss.exe | 106
PID 5012 wrote to memory of 556 | 5012 | windefender.exe | 112
PID 5012 wrote to memory of 556 | 5012 | windefender.exe | 112
PID 5012 wrote to memory of 556 | 5012 | windefender.exe | 112
PID 556 wrote to memory of 3232 | 556 | cmd.exe | 113
PID 556 wrote to memory of 3232 | 556 | cmd.exe | 113
PID 556 wrote to memory of 3232 | 556 | cmd.exe | 113
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Process tree (depth in brackets, children indented under their parent):

[1] C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4656

  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -nologo -noprofile
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1184

  [2] C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16.exe"
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3108

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3404

    [3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - Suspicious use of WriteProcessMemory
      PID: 2524

      [4] C:\Windows\system32\netsh.exe
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        - Modifies Windows Firewall
        PID: 2776

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4404

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1172

    [3] C:\Windows\rss\csrss.exe
      Command line: C:\Windows\rss\csrss.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Manipulates WinMonFS driver
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 5016

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2732

      [4] C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - Creates scheduled task(s)
        PID: 664

      [4] C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /delete /tn ScheduledUpdate /f
        PID: 2740

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2412

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1184

      [4] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        PID: 3784

      [4] C:\Windows\SYSTEM32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - Creates scheduled task(s)
        PID: 1352

      [4] C:\Windows\windefender.exe
        Command line: "C:\Windows\windefender.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 5012

        [5] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
          - Suspicious use of WriteProcessMemory
          PID: 556

          [6] C:\Windows\SysWOW64\sc.exe
            Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            - Launches sc.exe
            - Suspicious use of AdjustPrivilegeToken
            PID: 3232

[1] C:\Windows\windefender.exe
  Command line: C:\Windows\windefender.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 3472
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 281KB
MD5: d98e33b66343e7c96158444127a117f6
SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: ac4917a885cf6050b1a483e4bc4d2ea5
SHA1: b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256: e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512: 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 9f9da3768726b79f60e3f4ec18a6250c
SHA1: 090f9924b51ea203a59b4d41f5638ffcda17c991
SHA256: 3d8787fee1469a631ebd0a4ad44ee7fc6ca684a669b8f5373e0792d5d9fd6ce7
SHA512: 7f068733668a9c0956978de6a1cf6998ec10bc700ea656391d27d1e6645b72311230e728358c3792f53cbc908686b5762b8689f3f9975e9c2b56a48647bbbcb4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 774bd37fd8d85aca1b6d92305adbc023
SHA1: 689414c2fb61d7c84d67b8ddff78508e999e4640
SHA256: 4a3bd50e2b7201cb5c2d681d85e8da92e47dde7ef29ed82f445d95a65ddeefd0
SHA512: 2a826d8086b2848c1fc967020b8fa14e5317b66c5aae184a58a345dc6de9def448c9a5b92a8eeabe7cd1074dca2dcd859e70e8332210956c1377535530eb2acb

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 5f2cba67257c58126a1884a25301c7af
SHA1: 06d11611cb8d87cf0f8dc844a60a0b2914dfca1f
SHA256: f1dc744b36dda45466d7f456aa783961c7eaae1f69879399af24968c36d72de7
SHA512: 90acb232d7e0216cdbe8afdb8b9cb8e78e05da6962bf180728b7c4db6d07ead1dcbffdb87be9f6d378e770948828c21c26501ac8d7d3c4f75a1c3337d6cf53a2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: b0ce59de354af48a7acd075370e8595f
SHA1: df4dd579c8ab4c8f27f0f9303b9fbf62e3935de0
SHA256: fe88223be89d17539810636301555a1446007ebac5f95a044ce8631126874bd7
SHA512: dfd7cc45a03dcb1c288366b0bacb341febdf9b84071b40d3d8ba39cbf1cc5d723aa5c48513814ca6d6331d927d21bbb348b2c813d23ea8fd0040ac2db71de292

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 69a4c689648a62ed8e1477252a1fb6d6
SHA1: dc021eeada8f1bf9f06ba8fa5b04ef51c69d28c8
SHA256: 7293ebec92561905e26965b55c0b6a432925706fa8d898c30c9cde1e8fb4780e
SHA512: a0632c2925781159e43e9e92e7a2d748882582683435285710b77ab61acd9e2f686483db2ab445530e452b4854194353db89a0a6b2dba6840b08f71365af0d97

Filesize: 4.2MB
MD5: 3fe4b0b8dd103c35ae252f01d81c91ea
SHA1: 59181f7ecebf622327d782cc7bf9722b5fe04324
SHA256: 554f3c1bb924f0cd40397888ee156131091d7cd8d60732ee517ee0ca9ab6cb16
SHA512: 0678814f70b1a7b8181ce8f74e42d7779d8e846feb4d222f679d3443fb77abd1e468d85b31621c38479336b457aef3d4837ac7880c26fd0549a93b389b878fb6

Filesize: 2.0MB
MD5: 8e67f58837092385dcf01e8a2b4f5783
SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec