Analysis
max time kernel: 8s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 17/04/2024, 19:23
Static task: static1
Behavioral task: behavioral1
Sample: d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048.exe
Resource: win10v2004-20240412-en
General
Target: d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048.exe
Size: 4.2MB
MD5: a5b310be46085d15ecb18f1b8df7d028
SHA1: 8546ef9d9204363ad9183869d4569a2f46df91c1
SHA256: d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048
SHA512: 024b18608765a167e362a694186da8e0bd33f3c5517342f6bb4ee77120c93f24376ed7ed8f48f5f3c0975b70693f40ad822d40640787c52317aa4620422915a4
SSDEEP: 98304:Dz8muvG4/7oo98xMphVIqHAQJ7eNfIWzS5gC960Xfu6ti9vBy29d:DzvuvT/7/zVIWAQdeNfIWzX0W6tA42X
Malware Config
Signatures
Glupteba payload 19 IoCs
resource | yara_rule
behavioral2/memory/2820-2-0x0000000005370000-0x0000000005C5B000-memory.dmp | family_glupteba
behavioral2/memory/2820-3-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral2/memory/2928-63-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral2/memory/2820-66-0x0000000005370000-0x0000000005C5B000-memory.dmp | family_glupteba
behavioral2/memory/2820-80-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral2/memory/2928-206-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral2/memory/3076-241-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral2/memory/3076-252-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral2/memory/3076-256-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral2/memory/3076-260-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral2/memory/3076-264-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral2/memory/3076-268-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral2/memory/3076-272-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral2/memory/3076-276-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral2/memory/3076-280-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral2/memory/3076-284-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral2/memory/3076-288-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral2/memory/3076-292-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral2/memory/3076-296-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
The family rule hits at image base 0x400000 in three processes: the two instances of the submitted sample (PIDs 2820 and 2928) and C:\Windows\rss\csrss.exe (PID 3076, see the process tree), plus a separately mapped 0x5370000-0x5C5B000 region in the first instance. The dropped csrss.exe therefore carries the same Glupteba payload as the original sample; the 0x400000-0x310E000 range (about 45 MB) is far larger than the 4.2 MB file on disk, which is what an unpacked image looks like in memory.
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
2656 | netsh.exe

UPX packed file 4 IoCs
resource | yara_rule
behavioral2/files/0x000200000002aa0c-246.dat | upx
behavioral2/memory/1916-249-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral2/memory/1464-254-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral2/memory/1464-262-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
PIDs 1916 and 1464 are the two C:\Windows\windefender.exe instances in the process tree, so the UPX matches belong to that dropped component, not to the main sample.
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
Both paths sit under the LocalSystem profile (config\systemprofile), which tells you this powershell.exe instance ran as SYSTEM. The files themselves are routine CLR usage-log and PowerShell start-up artefacts, not a payload; the signature fires on the location, not the content.
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files and device objects exist only inside VirtualBox guests and can be used to detect execution in a VM. Here the sample opens \??\VBoxMiniRdrDN, the device exposed by the VirtualBox shared-folders mini-redirector that ships with the Guest Additions; a successful open is enough to conclude the machine is a VirtualBox guest, no DLL has to be loaded.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048.exe
Launches sc.exe 1 IoCs
sc.exe is the Windows utility for controlling services. Here it is invoked with the sdset verb, which replaces a service's security descriptor (see the process tree for the descriptor applied).
pid | Process
2804 | sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
852 | schtasks.exe
5028 | schtasks.exe
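The signatures above (firewall rule, scheduled tasks, sc.exe) are generic; what makes them worth escalating is the combination visible in the command lines of this report's process tree. The Python below is an added example, not part of the sandbox output or of the malware: it runs a handful of hand-written triage rules over the command lines copied from the process tree later on this page (plus one constructed benign line) and reports which persistence and defence-evasion patterns each matches. Rule names, the list of borrowed system-process names and the trusted directories are the author's choices.

```python
"""Triage of the persistence and defence-evasion command lines seen in this
report's process tree. Added example (standard library only); the rules are
approximations written for the page, not Triage signatures."""
import re
from dataclasses import dataclass
from typing import List, Set

# Command lines copied from the process tree of this report (raw strings keep
# the backslashes exactly as they appear there).
COMMAND_LINES = [
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
]
# A constructed benign line, to show the rules are not "schtasks == bad".
BENIGN = r'schtasks /CREATE /SC DAILY /TR "C:\Program Files\Vendor\update.exe" /TN VendorUpdate'

# Core Windows process names that malware borrows; legitimate copies live only
# under System32/SysWOW64 (author's list, extend as needed).
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
                "winlogon.exe", "services.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Drive-letter paths ending in .exe/.dll; quoted paths end at the quote.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s]+?\.(?:exe|dll)', re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def triage(cmd: str) -> List[Finding]:
    """Apply every rule to one command line and return the findings."""
    low = cmd.lower()
    findings: List[Finding] = []

    # Inbound firewall allow rule added from the command line (ATT&CK T1562.004).
    if "netsh" in low and "advfirewall" in low and "add rule" in low:
        action = re.search(r"action=(\w+)", cmd, re.I)
        if action and action.group(1).lower() == "allow":
            prog = re.search(r'program="?([^"\s]+)"?', cmd, re.I)
            direction = re.search(r"dir=(\w+)", cmd, re.I)
            findings.append(Finding("firewall_allow_rule",
                f"dir={direction.group(1) if direction else '?'} "
                f"program={prog.group(1) if prog else '?'}"))

    # Logon/startup task that runs with the highest privileges (T1053.005).
    if "schtasks" in low and "/create" in low:
        sched = re.search(r"/sc\s+(\w+)", cmd, re.I)
        level = re.search(r"/rl\s+(\w+)", cmd, re.I)
        run = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
        target = (run.group(1) or run.group(2)) if run else "?"
        if (sched and sched.group(1).upper() in {"ONLOGON", "ONSTART"}
                and level and level.group(1).upper() == "HIGHEST"):
            findings.append(Finding("logon_task_highest",
                                    f"{sched.group(1).upper()} -> {target}"))

    # Task removal: an earlier persistence name being cleaned up or replaced.
    if "schtasks" in low and "/delete" in low:
        name = re.search(r"/tn\s+(\S+)", cmd, re.I)
        findings.append(Finding("task_deleted", name.group(1) if name else "?"))

    # Service security descriptor rewritten with sc sdset.
    svc = re.search(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)", cmd, re.I)
    if svc:
        findings.append(Finding("service_acl_changed", svc.group(1)))

    # A 32-bit process reaching the 64-bit tools through the Sysnative alias.
    if "\\sysnative\\" in low:
        findings.append(Finding("sysnative_redirect", cmd.split()[0]))

    # System process names outside System32/SysWOW64 (T1036.005) and DLLs under
    # the user's Temp passed as arguments (the injector's hook DLL here).
    for path in sorted(set(PATH_RE.findall(cmd))):
        base = path.lower().rsplit("\\", 1)[-1]
        if base in SYSTEM_NAMES and not path.lower().startswith(TRUSTED_DIRS):
            findings.append(Finding("system_name_outside_system32", path))
        if base.endswith(".dll") and "\\appdata\\local\\temp\\" in path.lower():
            findings.append(Finding("temp_dll_argument", path))
    return findings


def rule_names(cmd: str) -> Set[str]:
    """Just the rule identifiers, convenient for correlation or tests."""
    return {f.rule for f in triage(cmd)}


if __name__ == "__main__":
    for line in COMMAND_LINES + [BENIGN]:
        print(line[:72] + ("..." if len(line) > 72 else ""))
        for f in triage(line):
            print(f"    {f.rule}: {f.detail}")
```

Each line from this report trips at least one rule while the constructed benign task trips none; the csrss.exe path shows up twice (firewall rule and task), which is the kind of cross-hit that turns two low-severity events into one incident.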
Modifies data under HKEY_USERS 64 IoCs
The writes fall into two groups. The Set value (str) rows are MuiCache entries: Windows caches the localized strings it resolves from "@tzres.dll,-N" resource references here, so they appear whenever a process looks up time-zone display names. They are a by-product of the sample's start-up, not deliberate persistence, and are low-value as indicators. The Key created rows are empty certificate-store and WinTrust keys under .DEFAULT, which powershell.exe creates on first use when it runs as SYSTEM (the LocalSystem account's HKCU is HKEY_USERS\.DEFAULT); this corroborates the systemprofile file drops above. In the rows below MUICACHE stands for \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll and SAMPLE for d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048.exe.
description | ioc | Process
Set value (str) | MUICACHE,-132 = "US Eastern Standard Time" | SAMPLE
Set value (str) | MUICACHE,-391 = "Arab Daylight Time" | SAMPLE
Set value (str) | MUICACHE,-722 = "Central Pacific Standard Time" | SAMPLE
Set value (str) | MUICACHE,-2632 = "Norfolk Standard Time" | SAMPLE
Set value (str) | MUICACHE,-571 = "China Daylight Time" | SAMPLE
Set value (str) | MUICACHE,-732 = "Fiji Standard Time" | SAMPLE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Set value (str) | MUICACHE,-3052 = "Qyzylorda Standard Time" | SAMPLE
Set value (str) | MUICACHE,-301 = "Romance Daylight Time" | SAMPLE
Set value (str) | MUICACHE,-692 = "Tasmania Standard Time" | SAMPLE
Set value (str) | MUICACHE,-131 = "US Eastern Daylight Time" | SAMPLE
Set value (str) | MUICACHE,-222 = "Alaskan Standard Time" | SAMPLE
Set value (str) | MUICACHE,-2001 = "Cabo Verde Daylight Time" | SAMPLE
Set value (str) | MUICACHE,-731 = "Fiji Daylight Time" | SAMPLE
Set value (str) | MUICACHE,-2322 = "Sakhalin Standard Time" | SAMPLE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (str) | MUICACHE,-651 = "AUS Central Daylight Time" | SAMPLE
Set value (str) | MUICACHE,-104 = "Central Brazilian Daylight Time" | SAMPLE
Set value (str) | MUICACHE,-181 = "Mountain Daylight Time (Mexico)" | SAMPLE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Set value (str) | MUICACHE,-441 = "Arabian Daylight Time" | SAMPLE
Set value (str) | MUICACHE,-981 = "Kamchatka Daylight Time" | SAMPLE
Set value (str) | MUICACHE,-3142 = "South Sudan Standard Time" | SAMPLE
Set value (str) | MUICACHE,-121 = "SA Pacific Daylight Time" | SAMPLE
Set value (str) | MUICACHE,-791 = "SA Western Daylight Time" | SAMPLE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (str) | MUICACHE,-2392 = "Aleutian Standard Time" | SAMPLE
Set value (str) | MUICACHE,-51 = "Greenland Daylight Time" | SAMPLE
Set value (str) | MUICACHE,-2342 = "Haiti Standard Time" | SAMPLE
Set value (str) | MUICACHE,-242 = "Samoa Standard Time" | SAMPLE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Set value (str) | MUICACHE,-162 = "Central Standard Time" | SAMPLE
Set value (str) | MUICACHE,-1471 = "Magadan Daylight Time" | SAMPLE
Set value (str) | MUICACHE,-2452 = "Saint Pierre Standard Time" | SAMPLE
Set value (str) | MUICACHE,-2372 = "Easter Island Standard Time" | SAMPLE
Set value (str) | MUICACHE,-832 = "SA Eastern Standard Time" | SAMPLE
Set value (str) | MUICACHE,-932 = "Coordinated Universal Time" | SAMPLE
Set value (str) | MUICACHE,-2891 = "Sudan Daylight Time" | SAMPLE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Set value (str) | MUICACHE,-2532 = "Chatham Islands Standard Time" | SAMPLE
Set value (str) | MUICACHE,-2531 = "Chatham Islands Daylight Time" | SAMPLE
Set value (str) | MUICACHE,-2042 = "Eastern Standard Time (Mexico)" | SAMPLE
Set value (str) | MUICACHE,-2181 = "Astrakhan Daylight Time" | SAMPLE
Set value (str) | MUICACHE,-364 = "Middle East Daylight Time" | SAMPLE
Set value (str) | MUICACHE,-741 = "New Zealand Daylight Time" | SAMPLE
Set value (str) | MUICACHE,-141 = "Canada Central Daylight Time" | SAMPLE
Set value (str) | MUICACHE,-682 = "E. Australia Standard Time" | SAMPLE
Set value (str) | MUICACHE,-52 = "Greenland Standard Time" | SAMPLE
Set value (str) | MUICACHE,-122 = "SA Pacific Standard Time" | SAMPLE
Set value (str) | MUICACHE,-2841 = "Saratov Daylight Time" | SAMPLE
Set value (str) | MUICACHE,-381 = "South Africa Daylight Time" | SAMPLE
Set value (str) | MUICACHE,-691 = "Tasmania Daylight Time" | SAMPLE
Set value (str) | MUICACHE,-151 = "Central America Daylight Time" | SAMPLE
Set value (str) | MUICACHE,-161 = "Central Daylight Time" | SAMPLE
Set value (str) | MUICACHE,-1842 = "Russia TZ 4 Standard Time" | SAMPLE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid | Process | hits
1448 | powershell.exe | 2
2820 | d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048.exe | 2
2516 | powershell.exe | 2
2928 | d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048.exe | 10
4028 | powershell.exe | 2
Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1448 | powershell.exe
Token: SeDebugPrivilege | 2820 | d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048.exe
Token: SeImpersonatePrivilege | 2820 | d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048.exe
Token: SeDebugPrivilege | 2516 | powershell.exe
Token: SeDebugPrivilege | 4028 | powershell.exe
Suspicious use of WriteProcessMemory 13 IoCs
description | pid | Process | procid_target | hits
PID 2820 wrote to memory of 1448 | 2820 | d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048.exe | 81 | 3
PID 2928 wrote to memory of 2516 | 2928 | d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048.exe | 86 | 3
PID 2928 wrote to memory of 1500 | 2928 | d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048.exe | 88 | 2
PID 1500 wrote to memory of 2656 | 1500 | cmd.exe | 90 | 2
PID 2928 wrote to memory of 4028 | 2928 | d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048.exe | 91 | 3
Processes
Indentation shows the parent/child relation; the leading number is the depth level from the report.

1 C:\Users\Admin\AppData\Local\Temp\d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048.exe  (PID 2820)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  2 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1448)
    cmdline: powershell -nologo -noprofile
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  2 C:\Users\Admin\AppData\Local\Temp\d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048.exe  (PID 2928)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048.exe"
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    3 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2516)
      cmdline: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    3 C:\Windows\system32\cmd.exe  (PID 1500)
      cmdline: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - Suspicious use of WriteProcessMemory

      4 C:\Windows\system32\netsh.exe  (PID 2656)
        cmdline: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        - Modifies Windows Firewall

    3 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4028)
      cmdline: powershell -nologo -noprofile
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    3 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4988)
      cmdline: powershell -nologo -noprofile

    3 C:\Windows\rss\csrss.exe  (PID 3076)
      cmdline: C:\Windows\rss\csrss.exe

      4 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4844)
        cmdline: powershell -nologo -noprofile

      4 C:\Windows\SYSTEM32\schtasks.exe  (PID 852)
        cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - Creates scheduled task(s)

      4 C:\Windows\SYSTEM32\schtasks.exe  (PID 2992)
        cmdline: schtasks /delete /tn ScheduledUpdate /f

      4 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4792)
        cmdline: powershell -nologo -noprofile

      4 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1440)
        cmdline: powershell -nologo -noprofile

      4 C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe  (PID 3468)
        cmdline: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

      4 C:\Windows\SYSTEM32\schtasks.exe  (PID 5028)
        cmdline: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        - Creates scheduled task(s)

      4 C:\Windows\windefender.exe  (PID 1916)
        cmdline: "C:\Windows\windefender.exe"

        5 C:\Windows\SysWOW64\cmd.exe  (PID 4968)
          cmdline: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

          6 C:\Windows\SysWOW64\sc.exe  (PID 2804)
            cmdline: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            - Launches sc.exe

1 C:\Windows\windefender.exe  (PID 1464)
  cmdline: C:\Windows\windefender.exe

What the tree shows:
- The sample is a 32-bit binary (every powershell.exe it spawns comes from SysWOW64) and reaches the 64-bit cmd.exe and netsh.exe through C:\Windows\Sysnative, the alias that bypasses WOW64 file-system redirection.
- The second instance of the sample (PID 2928) is running as SYSTEM: its child powershell.exe (PID 2516) writes under C:\Windows\SysWOW64\config\systemprofile and HKEY_USERS\.DEFAULT. The first instance held SeImpersonatePrivilege (see the AdjustPrivilegeToken section); the report does not show how the elevation was obtained.
- Persistence and hardening: the payload is copied to C:\Windows\rss\csrss.exe (the name of a protected system process, but outside System32), a logon task named csrss with /RL HIGHEST is created twice, an inbound firewall allow rule is added for that path, and a task named ScheduledUpdate is deleted.
- Evasion: injector.exe loads NtQuerySystemInformationHook.dll into taskmgr.exe. NtQuerySystemInformation is the API Task Manager uses to enumerate processes, so the DLL name indicates process hiding; the report does not show the DLL's code.
- windefender.exe rewrites the security descriptor of a service named WinDefender. The ACE (D;;WPDT;;;BA) explicitly denies Administrators SERVICE_STOP and SERVICE_PAUSE_CONTINUE, and the Administrators allow ACE omits those rights as well, so an admin cannot stop the service with sc stop or Services.msc. The same allow ACE still grants Administrators WRITE_DAC (WD) and WRITE_OWNER (WO), so during clean-up an administrator can restore a sane descriptor with sc sdset and then stop and delete the service.
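The sc sdset line in the tree is the one to decode during response, because the descriptor decides whether the service can be stopped and by whom. The Python below is an added example, not sandbox output and not code from the malware: it parses service SDDL with the standard library, lists per-trustee allowed and denied rights, flags trustees that carry an explicit deny on SERVICE_STOP, and checks whether Administrators keep WRITE_DAC and can therefore reset the descriptor. The descriptor string is the one from this report; the DEFAULT_SDDL it is compared with is a constructed typical default, not taken from the page.

```python
"""Decode a service SDDL string and show who is denied SERVICE_STOP.
Added example for this report; standard library only."""
import re
from typing import Dict, List, Set

# SDDL two-letter rights and their meaning on a service object (the generic
# SDDL names map onto SERVICE_* rights when the object is a service).
SERVICE_RIGHTS: Dict[str, str] = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
    "GX": "GENERIC_EXECUTE", "FA": "FILE_ALL_ACCESS",
}
# Well-known SID abbreviations that show up in service descriptors.
TRUSTEES: Dict[str, str] = {
    "SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive users",
    "SU": "Service logon", "WD": "Everyone", "AU": "Authenticated users",
    "BU": "Users", "NS": "Network Service", "LS": "Local Service",
}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit", "AL": "alarm"}

ACL_RE = re.compile(r"(?P<kind>[DS]):(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def _decode_rights(field: str) -> Set[str]:
    """'CCLCSWRP' -> {'QUERY_CONFIG', ...}; a hex mask is returned verbatim."""
    if field.lower().startswith("0x"):
        return {field}
    pairs = [field[i:i + 2] for i in range(0, len(field), 2)]
    return {SERVICE_RIGHTS.get(p, p) for p in pairs}


def parse_sddl(sddl: str) -> Dict[str, List[dict]]:
    """Split the DACL (D:) and SACL (S:) into ACE dicts. Owner/group parts
    (O:/G:) are ignored; sc sdset strings like the one here carry none."""
    acls: Dict[str, List[dict]] = {"D": [], "S": []}
    for acl in ACL_RE.finditer(sddl):
        for ace in ACE_RE.findall(acl.group("aces")):
            parts = ace.split(";")
            if len(parts) < 6:
                raise ValueError(f"malformed ACE: ({ace})")
            ace_type, ace_flags, rights, _obj, _inherit, sid = parts[:6]
            acls[acl.group("kind")].append({
                "type": ACE_TYPES.get(ace_type, ace_type),
                "flags": ace_flags,
                "rights": _decode_rights(rights),
                "trustee": TRUSTEES.get(sid, sid),
            })
    return acls


def effective_service_rights(sddl: str) -> Dict[str, Dict[str, Set[str]]]:
    """Per trustee: rights granted by allow ACEs minus rights hit by deny ACEs.
    Windows evaluates ACEs in order, so this 'deny wins' view is exact only for
    a canonical DACL (denies first). For the descriptor in this report the
    order does not matter: the Administrators allow ACE grants neither STOP
    nor PAUSE_CONTINUE, and the later deny ACE removes them explicitly."""
    out: Dict[str, Dict[str, Set[str]]] = {}
    for ace in parse_sddl(sddl)["D"]:
        entry = out.setdefault(ace["trustee"], {"allowed": set(), "denied": set()})
        if ace["type"] == "allow":
            entry["allowed"] |= ace["rights"]
        elif ace["type"] == "deny":
            entry["denied"] |= ace["rights"]
    for entry in out.values():
        entry["allowed"] -= entry["denied"]
    return out


def who_cannot_stop(sddl: str) -> List[str]:
    """Trustees carrying an explicit deny on STOP or PAUSE_CONTINUE. A missing
    allow is ordinary least privilege; an explicit deny aimed at Administrators
    is the 'unstoppable service' trick."""
    return sorted(t for t, e in effective_service_rights(sddl).items()
                  if {"STOP", "PAUSE_CONTINUE"} & e["denied"])


def can_reset_descriptor(sddl: str, trustee: str = "Administrators") -> bool:
    """True if the trustee keeps WRITE_DAC/WRITE_OWNER and can therefore put a
    sane descriptor back with `sc sdset` (taking ownership first if needed)."""
    rights = effective_service_rights(sddl).get(trustee, {"allowed": set()})["allowed"]
    return bool({"WRITE_DAC", "WRITE_OWNER", "GENERIC_ALL"} & rights)


# Descriptor applied to the WinDefender service in this report (from the
# process tree), and a constructed 'typical default' for comparison.
GLUPTEBA_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                 "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")

if __name__ == "__main__":
    for trustee, e in effective_service_rights(GLUPTEBA_SDDL).items():
        print(f"{trustee:18} allowed={sorted(e['allowed'])}")
        print(f"{'':18} denied={sorted(e['denied'])}")
    print("explicit deny on stop/pause:", who_cannot_stop(GLUPTEBA_SDDL))
    print("Administrators keep WRITE_DAC:", can_reset_descriptor(GLUPTEBA_SDDL))
```

Run against the report's descriptor, the output shows Administrators with STOP and PAUSE_CONTINUE in the denied set and WRITE_DAC still in the allowed set; against the constructed default nothing is denied. That is the check to run on any service an incident touches: a deny ACE naming BA is not something Windows or a legitimate installer writes.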
Network
MITRE ATT&CK Enterprise v15
Downloads

(no path recorded)
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

(no path recorded)
  Filesize: 281KB
  MD5: d98e33b66343e7c96158444127a117f6
  SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
  SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
  SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: ac4917a885cf6050b1a483e4bc4d2ea5
  SHA1: b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
  SHA256: e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
  SHA512: 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 992ca2a641c1b7f6464ee0f21f29dd22
  SHA1: c2d19f75ac03e72902e9204e42aa2e62794d0c1e
  SHA256: 40ec4413d877a6a334af91940166ef827dcd8a9a09b8f2374eaf8547c05c95c2
  SHA512: 14a2c3d45bf9485989b0fba0b6a85bab3b08f5ac16d58133fe91250f0ec044579f563a84f9586924d56a5d0a38a9cb3eb5c2349bd77813e5b0543ef5a0da07e8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: abab6ee2ae69634eaa641f26380b8601
  SHA1: 6e99e5975ef585d83ca51ae881fc50eb0fc82f09
  SHA256: 148594c9d84732a7f62f5406612bae1bb1ad917aef278aa83c4e73c26a660e1a
  SHA512: e5c43680c46de90b5ab1516867bf1559730a86b9496c426ae062c67c213ea0da0c7b4a27c174203de2a22266aecfd135a919d62eb3b100d11e40925accc61d66

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 37a5c5c3033b690ac9dab3485eed4991
  SHA1: 5cde3de819df729e0a1ee58e1028b2111aab84d1
  SHA256: 5772da181623e25f49dd9ae72f638c354b843de05e8f0c03aec867759cd8dea4
  SHA512: e3dd49ce7d24751784f1db3c48489611610e09eb096d30d96d4750e164878e0c21af3dcf6841763f463a4608e394405022f333f8c835aa059e7669ef50ddb217

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 62ce9b1669ff5d0eb1489de4cf2dfe03
  SHA1: 3e96c85343c6a06f7f2bf698192814531af1f548
  SHA256: f93b7806b58a59a97318bb84ef6bb0f90c5febbf62c04355e6aeda34795a92f0
  SHA512: ace475bef9db02925f131d0f00558df0e4836d2369ce9e6f6202466277b1e0834de76fd81288c45fa6a198131af5a3c00adb7c623a758c89d6091d8d9e4ffd94

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 1ec6e9120f7125f8f93445be3c504c31
  SHA1: 378eea5826829087f299eed4951885bb28375585
  SHA256: 4bbe3fce0364777cec0173f580c002f48e6776059e30c0d9f4f8c45912b4511c
  SHA512: b50583916da7ab36a02e3d474f29f04129fb5d8c1ab48e394e581486ac2d6e8d415a59c407fd200696692ba07b0aac58d74de0b44cb2de6ef3be43bfbb052d18

(no path recorded; hashes match the submitted sample)
  Filesize: 4.2MB
  MD5: a5b310be46085d15ecb18f1b8df7d028
  SHA1: 8546ef9d9204363ad9183869d4569a2f46df91c1
  SHA256: d9e974768ed6a1bed58ee8c29133b4fea7f98e9818be6a6dc0a997f25a0e2048
  SHA512: 024b18608765a167e362a694186da8e0bd33f3c5517342f6bb4ee77120c93f24376ed7ed8f48f5f3c0975b70693f40ad822d40640787c52317aa4620422915a4

(no path recorded)
  Filesize: 2.0MB
  MD5: 8e67f58837092385dcf01e8a2b4f5783
  SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
  SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
  SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec