Analysis

- max time kernel: 4s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20240412-en
- resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 17/04/2024, 19:23

Static task: static1
Behavioral task: behavioral1
Sample: 29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe
Resource: win10v2004-20240412-en
General

- Target: 29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe
- Size: 4.2MB
- MD5: 12c28f325f6710cebe89796872aba437
- SHA1: 992472d2b130f9a0a419b5982e11f62dda05c79c
- SHA256: 29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2
- SHA512: 95d68893354c01f4743b4989103c0d0f56949bdc8e7d58a59be4e19850a68a93c7067c6c12d9cd61ad89a250ce51f6217179bf79acb342d4c7c587d28fb41a0e
- SSDEEP: 98304:Dz8muvG4/7oo98xMphVIqHAQJ7eNfIWzS5gC960Xfu6ti9vBy29j:DzvuvT/7/zVIWAQdeNfIWzX0W6tA42l
Malware Config
Signatures
Glupteba payload (20 IoCs)
resource / yara_rule (every entry matched family_glupteba):
- behavioral2/memory/8-2-0x0000000005220000-0x0000000005B0B000-memory.dmp
- behavioral2/memory/8-3-0x0000000000400000-0x000000000310E000-memory.dmp
- behavioral2/memory/8-51-0x0000000000400000-0x000000000310E000-memory.dmp
- behavioral2/memory/8-52-0x0000000005220000-0x0000000005B0B000-memory.dmp
- behavioral2/memory/1520-55-0x0000000005220000-0x0000000005B0B000-memory.dmp
- behavioral2/memory/1520-56-0x0000000000400000-0x000000000310E000-memory.dmp
- behavioral2/memory/1520-113-0x0000000004E10000-0x0000000005215000-memory.dmp
- behavioral2/memory/1520-149-0x0000000000400000-0x000000000310E000-memory.dmp
- behavioral2/memory/1868-248-0x0000000000400000-0x000000000310E000-memory.dmp
- behavioral2/memory/1868-257-0x0000000000400000-0x000000000310E000-memory.dmp
- behavioral2/memory/1868-259-0x0000000000400000-0x000000000310E000-memory.dmp
- behavioral2/memory/1868-261-0x0000000000400000-0x000000000310E000-memory.dmp
- behavioral2/memory/1868-263-0x0000000000400000-0x000000000310E000-memory.dmp
- behavioral2/memory/1868-265-0x0000000000400000-0x000000000310E000-memory.dmp
- behavioral2/memory/1868-267-0x0000000000400000-0x000000000310E000-memory.dmp
- behavioral2/memory/1868-269-0x0000000000400000-0x000000000310E000-memory.dmp
- behavioral2/memory/1868-271-0x0000000000400000-0x000000000310E000-memory.dmp
- behavioral2/memory/1868-273-0x0000000000400000-0x000000000310E000-memory.dmp
- behavioral2/memory/1868-275-0x0000000000400000-0x000000000310E000-memory.dmp
- behavioral2/memory/1868-277-0x0000000000400000-0x000000000310E000-memory.dmp
Modifies Windows Firewall (2 TTPs, 1 IoCs)
pid / Process:
- 3892 netsh.exe

yara_rule upx matches (4 IoCs)
resource / yara_rule (every entry matched upx):
- behavioral2/files/0x000200000002a9d8-252.dat
- behavioral2/memory/3340-255-0x0000000000400000-0x00000000008DF000-memory.dmp
- behavioral2/memory/1812-258-0x0000000000400000-0x00000000008DF000-memory.dmp
- behavioral2/memory/1812-262-0x0000000000400000-0x00000000008DF000-memory.dmp
Launches sc.exe (1 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid / Process:
- 1120 sc.exe
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
- 3808 schtasks.exe
- 1456 schtasks.exe
Modifies data under HKEY_USERS (64 IoCs)
description / ioc / Process. Every entry is a "Set value (str)" operation performed by 29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe under the key \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\, with the value name C:\Windows\system32\,@tzres.dll,-<id>; the id and the string data written are listed per entry:
- -271 = "Greenwich Daylight Time"
- -2002 = "Cabo Verde Standard Time"
- -451 = "Caucasus Daylight Time"
- -511 = "Central Asia Daylight Time"
- -352 = "FLE Standard Time"
- -222 = "Alaskan Standard Time"
- -2161 = "Altai Daylight Time"
- -171 = "Central Daylight Time (Mexico)"
- -2392 = "Aleutian Standard Time"
- -1022 = "Bangladesh Standard Time"
- -152 = "Central America Standard Time"
- -2372 = "Easter Island Standard Time"
- -622 = "Korea Standard Time"
- -652 = "AUS Central Standard Time"
- -331 = "E. Europe Daylight Time"
- -732 = "Fiji Standard Time"
- -232 = "Hawaiian Standard Time"
- -261 = "GMT Daylight Time"
- -221 = "Alaskan Daylight Time"
- -442 = "Arabian Standard Time"
- -841 = "Argentina Daylight Time"
- -12 = "Azores Standard Time"
- -431 = "Iran Daylight Time"
- -1822 = "Russia TZ 1 Standard Time"
- -1021 = "Bangladesh Daylight Time"
- -141 = "Canada Central Daylight Time"
- -162 = "Central Standard Time"
- -2531 = "Chatham Islands Daylight Time"
- -2612 = "Bougainville Standard Time"
- -251 = "Dateline Daylight Time"
- -682 = "E. Australia Standard Time"
- -231 = "Hawaiian Daylight Time"
- -491 = "India Daylight Time"
- -462 = "Afghanistan Standard Time"
- -402 = "Arabic Standard Time"
- -81 = "Atlantic Daylight Time"
- -2491 = "Aus Central W. Daylight Time"
- -112 = "Eastern Standard Time"
- -111 = "Eastern Daylight Time"
- -1662 = "Bahia Standard Time"
- -571 = "China Daylight Time"
- -2342 = "Haiti Standard Time"
- -42 = "E. South America Standard Time"
- -41 = "E. South America Daylight Time"
- -341 = "Egypt Daylight Time"
- -731 = "Fiji Daylight Time"
- -371 = "Jerusalem Daylight Time"
- -392 = "Arab Standard Time"
- -842 = "Argentina Standard Time"
- -161 = "Central Daylight Time"
- -572 = "China Standard Time"
- -2162 = "Altai Standard Time"
- -661 = "Cen. Australia Daylight Time"
- -262 = "GMT Standard Time"
- -82 = "Atlantic Standard Time"
- -512 = "Central Asia Standard Time"
- -2041 = "Eastern Daylight Time (Mexico)"
- -1841 = "Russia TZ 4 Daylight Time"
- -362 = "GTB Standard Time"
- -432 = "Iran Standard Time"
- -335 = "Jordan Standard Time"
- -621 = "Korea Daylight Time"
- -461 = "Afghanistan Daylight Time"
- -1971 = "Belarus Daylight Time"
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid / Process:
- 2652 powershell.exe
- 2652 powershell.exe
- 8 29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe
- 8 29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege / 2652 / powershell.exe
- Token: SeDebugPrivilege / 8 / 29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe
- Token: SeImpersonatePrivilege / 8 / 29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description / pid / Process / procid_target:
- PID 8 wrote to memory of 2652 / 8 / 29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe / 81
- PID 8 wrote to memory of 2652 / 8 / 29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe / 81
- PID 8 wrote to memory of 2652 / 8 / 29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe / 81
Processes

Process tree as recorded by the sandbox (indentation shows parent/child depth; each entry gives the image path, the command line, the PID and any signatures attributed to that process):

- C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe (PID 8)
  Command line: "C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2652)
    Command line: powershell -nologo -noprofile
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe (PID 1520)
    Command line: "C:\Users\Admin\AppData\Local\Temp\29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2.exe"
    Signatures: Modifies data under HKEY_USERS
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2872)
      Command line: powershell -nologo -noprofile
    - C:\Windows\system32\cmd.exe (PID 4884)
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - C:\Windows\system32\netsh.exe (PID 3892)
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        Signatures: Modifies Windows Firewall
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4604)
      Command line: powershell -nologo -noprofile
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2272)
      Command line: powershell -nologo -noprofile
    - C:\Windows\rss\csrss.exe (PID 1868)
      Command line: C:\Windows\rss\csrss.exe
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 688)
        Command line: powershell -nologo -noprofile
      - C:\Windows\SYSTEM32\schtasks.exe (PID 3808)
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Signatures: Creates scheduled task(s)
      - C:\Windows\SYSTEM32\schtasks.exe (PID 4796)
        Command line: schtasks /delete /tn ScheduledUpdate /f
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3020)
        Command line: powershell -nologo -noprofile
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4600)
        Command line: powershell -nologo -noprofile
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (PID 3096)
        Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      - C:\Windows\SYSTEM32\schtasks.exe (PID 1456)
        Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        Signatures: Creates scheduled task(s)
      - C:\Windows\windefender.exe (PID 3340)
        Command line: "C:\Windows\windefender.exe"
        - C:\Windows\SysWOW64\cmd.exe (PID 4508)
          Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
          - C:\Windows\SysWOW64\sc.exe (PID 1120)
            Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            Signatures: Launches sc.exe
- C:\Windows\windefender.exe (PID 1812)
  Command line: C:\Windows\windefender.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

- (no path recorded)
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- (no path recorded)
  Filesize: 281KB
  MD5: d98e33b66343e7c96158444127a117f6
  SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
  SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
  SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: d0c46cad6c0778401e21910bd6b56b70
  SHA1: 7be418951ea96326aca445b8dfe449b2bfa0dca6
  SHA256: 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
  SHA512: 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: ec42b5c78e8cdf76a145ff640522548b
  SHA1: 2f5997d20cdcaaa75e0ae4bdd738ae481168a6c5
  SHA256: 2ed0d5610e74f5820b6296690fcf3ec0df1a5ddb1a8463f1041cc36b1b7a273c
  SHA512: 710b3c5af8493d189ac6013bfcf27fcc0497125b50d409f208436d428a0f898fb490256b7ad84ada9ca577d2ebc9d7edf6dd935b1f5a3a226459573d1096f7a8

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: f89931f572de7f7d918aa55f16ebcba8
  SHA1: ed51ba725dcc0bd5b1034bacfc5022e5e591ce6a
  SHA256: 57b37f39749daeb5f738b7a4ac6b86e074561b04d51fbc4e787c6fae1ce323a4
  SHA512: 74ac208cc2b4cf02242dca4f5821dd0db790ed2244552519c2d2c926fe3ba4564f26853a77a9757911b9efe7b9d17c198d931a9cb65eae9414689f00e83c4fbb

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: f22ccf55ed36e223539d909a2eeee0a5
  SHA1: d38796b61f927ba986381ff03df2e1b238125a33
  SHA256: cfcc97e5e683c80630a3f74d2c26e649aee2f414f158921ca0350298c78a5b9a
  SHA512: a8b16adc704a4e191482b24bc0dcc4c418912c5d227f027ae5625011a66a9b73b2beafb56060c617cc09679cce78a809b99189d496b8ccb96476bf324cec5f2c

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 1032e327a0c33321e1ca13e43dba3491
  SHA1: 3afcd5cd5213332e33b7d02b9ee537b6b5b7bfbc
  SHA256: 995e0246f313d05f26c0171142d0c5d8bf41dd299ca0ba2496db21d184f3ed66
  SHA512: aa0b12f493875e1dccb440955566f7f29fdb0a0ffd2074bede81be90b4139782332f68aef415926ab98510a0224125815d45f65216d00dba2aefcda316609ed2

- C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 19KB
  MD5: 495d2bf1f56e3cbd50b68565c1711d97
  SHA1: 7ddca8d09b67e862d1aad62f6676b102a0b5cb48
  SHA256: e7ee05df3ab63f7f297eaaf54cd35ec01555110c862530bbc64ff067e303c801
  SHA512: 4e3b86392c4a670248808b79f49faa78b4eac921febadacff570c8768ff0c85140d36655a0616e7537ae680b37eb86b0405926ffef610ea7caef754e437c5a69

- (no path recorded)
  Filesize: 4.2MB
  MD5: 12c28f325f6710cebe89796872aba437
  SHA1: 992472d2b130f9a0a419b5982e11f62dda05c79c
  SHA256: 29daf807728f297a2521a2af541723a1ace5379af1f13eeb3c8803403783d3a2
  SHA512: 95d68893354c01f4743b4989103c0d0f56949bdc8e7d58a59be4e19850a68a93c7067c6c12d9cd61ad89a250ce51f6217179bf79acb342d4c7c587d28fb41a0e

- (no path recorded)
  Filesize: 2.0MB
  MD5: 8e67f58837092385dcf01e8a2b4f5783
  SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
  SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
  SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec