Analysis
max time kernel: 15s
max time network: 158s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 17/04/2024, 19:06
Static task
static1
Behavioral task
behavioral1
Sample
6270f34ea7b05bbf4b6711a5857b7e9a9ae44fd7998aa79015d482e7de7a1546.exe
Resource
win10v2004-20240412-en
General
Target: 6270f34ea7b05bbf4b6711a5857b7e9a9ae44fd7998aa79015d482e7de7a1546.exe
Size: 4.2MB
MD5: b05fc926901d611f28a3de5afc836293
SHA1: 7ed6a3f9b944e21523979713166f8c632fd4e3b5
SHA256: 6270f34ea7b05bbf4b6711a5857b7e9a9ae44fd7998aa79015d482e7de7a1546
SHA512: 8c3f021d3603e3f0d09c2ffc511efbfea5499c74bf5f1d653f5662a55465b314bdc730df15e12041c9bf4b357616d9bfee35148003cb62a1beec1442f062715c
SSDEEP: 98304:m+HT2dFOlkJa7jNZC2ePu9ILkthheCYlOaR:fzMKBrC2kuA8hntO
Malware Config
Signatures
Glupteba payload 19 IoCs
resource  yara_rule
behavioral2/memory/440-2-0x0000000005370000-0x0000000005C5B000-memory.dmp  family_glupteba
behavioral2/memory/440-3-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/440-51-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/3084-54-0x0000000005290000-0x0000000005B7B000-memory.dmp  family_glupteba
behavioral2/memory/3084-64-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/3084-114-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/3084-208-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/3220-235-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/3220-246-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/3220-254-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/3220-258-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/3220-262-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/3220-266-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/3220-270-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/3220-274-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/3220-278-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/3220-282-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/3220-286-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
behavioral2/memory/3220-290-0x0000000000400000-0x000000000310E000-memory.dmp  family_glupteba
Modifies Windows Firewall 2 TTPs 1 IoCs
pid  Process
3504  netsh.exe
UPX packed file 4 IoCs
resource  yara_rule
behavioral2/files/0x000200000002aa67-245.dat  upx
behavioral2/memory/2324-250-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral2/memory/1268-255-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral2/memory/1268-263-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility used to control services on the system.
pid  Process
1180  sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
5016  schtasks.exe
2508  schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid  Process
2428  powershell.exe
2428  powershell.exe
440  6270f34ea7b05bbf4b6711a5857b7e9a9ae44fd7998aa79015d482e7de7a1546.exe
440  6270f34ea7b05bbf4b6711a5857b7e9a9ae44fd7998aa79015d482e7de7a1546.exe
1644  powershell.exe
1644  powershell.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description  pid  Process
Token: SeDebugPrivilege  2428  powershell.exe
Token: SeDebugPrivilege  440  6270f34ea7b05bbf4b6711a5857b7e9a9ae44fd7998aa79015d482e7de7a1546.exe
Token: SeImpersonatePrivilege  440  6270f34ea7b05bbf4b6711a5857b7e9a9ae44fd7998aa79015d482e7de7a1546.exe
Token: SeDebugPrivilege  1644  powershell.exe
Suspicious use of WriteProcessMemory 6 IoCs
description  pid  Process  procid_target
PID 440 wrote to memory of 2428  440  6270f34ea7b05bbf4b6711a5857b7e9a9ae44fd7998aa79015d482e7de7a1546.exe  82
PID 440 wrote to memory of 2428  440  6270f34ea7b05bbf4b6711a5857b7e9a9ae44fd7998aa79015d482e7de7a1546.exe  82
PID 440 wrote to memory of 2428  440  6270f34ea7b05bbf4b6711a5857b7e9a9ae44fd7998aa79015d482e7de7a1546.exe  82
PID 3084 wrote to memory of 1644  3084  6270f34ea7b05bbf4b6711a5857b7e9a9ae44fd7998aa79015d482e7de7a1546.exe  87
PID 3084 wrote to memory of 1644  3084  6270f34ea7b05bbf4b6711a5857b7e9a9ae44fd7998aa79015d482e7de7a1546.exe  87
PID 3084 wrote to memory of 1644  3084  6270f34ea7b05bbf4b6711a5857b7e9a9ae44fd7998aa79015d482e7de7a1546.exe  87
Processes
(indentation shows the parent/child depth of each process in the tree)

C:\Users\Admin\AppData\Local\Temp\6270f34ea7b05bbf4b6711a5857b7e9a9ae44fd7998aa79015d482e7de7a1546.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6270f34ea7b05bbf4b6711a5857b7e9a9ae44fd7998aa79015d482e7de7a1546.exe"
  PID: 440
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -nologo -noprofile
      PID: 2428
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\6270f34ea7b05bbf4b6711a5857b7e9a9ae44fd7998aa79015d482e7de7a1546.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\6270f34ea7b05bbf4b6711a5857b7e9a9ae44fd7998aa79015d482e7de7a1546.exe"
      PID: 3084
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          PID: 1644
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\cmd.exe
          Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          PID: 4480

            C:\Windows\system32\netsh.exe
              Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              PID: 3504
              - Modifies Windows Firewall

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          PID: 2584

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -nologo -noprofile
          PID: 908

        C:\Windows\rss\csrss.exe
          Command line: C:\Windows\rss\csrss.exe
          PID: 3220

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell -nologo -noprofile
              PID: 960

            C:\Windows\SYSTEM32\schtasks.exe
              Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              PID: 5016
              - Creates scheduled task(s)

            C:\Windows\SYSTEM32\schtasks.exe
              Command line: schtasks /delete /tn ScheduledUpdate /f
              PID: 4604

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell -nologo -noprofile
              PID: 952

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell -nologo -noprofile
              PID: 1912

            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
              PID: 4232

            C:\Windows\SYSTEM32\schtasks.exe
              Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              PID: 2508
              - Creates scheduled task(s)

            C:\Windows\windefender.exe
              Command line: "C:\Windows\windefender.exe"
              PID: 2324

                C:\Windows\SysWOW64\cmd.exe
                  Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                  PID: 2316

                    C:\Windows\SysWOW64\sc.exe
                      Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                      PID: 1180
                      - Launches sc.exe

C:\Windows\windefender.exe
  Command line: C:\Windows\windefender.exe
  PID: 1268
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 281KB
MD5: d98e33b66343e7c96158444127a117f6
SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: d0c46cad6c0778401e21910bd6b56b70
SHA1: 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256: 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512: 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 40af493e5fff26be45943637aec77b90
SHA1: a134baf231d6737f03cf9cdef538ad184e0661cb
SHA256: 3cfae0a3508c87e6ed25c6aace41f07963523a50a4fb49f27ff089cc37ef0e77
SHA512: e6fc8f8592ebdcdeb7a434f5789c61b159c0f69f2c9431dffa28f79450009b239403d6d66d08bd467ed9555a92c921622f544dc9e0e857055bcb4451c7296d4e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: c2e7ff0e456b20888aba2a0679f060b3
SHA1: a00531486c717ea97ccddf76ff53ec5234f9cabd
SHA256: 02fe366244dd3fe661bee6ea87ea2a50aa029afbfeefddf5c986ef9022fa9237
SHA512: 6faeaff0869ce7538e95c15a14aec90bb8a646d9ed3e3b41706e3277cab53e1469343ae0fa0d3a05d585868736feab0ca2bc3c2d6bc775ec220373bbe9a27c42

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: f64c9904c50dbab0866dea6cdc0ce86b
SHA1: 7a406493898c5a1cb59b8f4d236cb7466ba52c23
SHA256: 9a7cb461b9a88307ee5d46634b874353d66370d120be9d990a7a7d1f962d798d
SHA512: ea571ee4f4eaa28e0759522ff9afdfbb4e4151f9be3edbada8faf9eb49a68a845c2d9e3cf1a41c39601f1055d87c763aea055baa5939bab80d6ed229f3ece086

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 82800552794b9a05b3505db9006705b1
SHA1: 000c0277b94af44e2b24bd8b94eb9d31edcf4c9c
SHA256: 7a63e33b5283fb164ef8419ca1a3200225c2fd9561c448cbe9385ed4d603a19d
SHA512: 6129ea3d2532525e8c39012b38b26bd3e91ecbc960a35a4c1aba1ad03ca778ce6c6c2c69d73d8afc72972595975246145f3005cb14f8d6217f5b15dd3c5acdcf

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 67cbd9e093392e12cbabb6cd42c51f21
SHA1: 75431c6550efbbf6007f0c83dbdde25ad48d7fb4
SHA256: c37cc7ea0e9b19f3e5d59d03d158607fd4f32bdae532a83cbaaff825e2512b89
SHA512: 9fab32b97a98d46c5b4ef3d51febd39dbb8d62b5054dbef59fa88e6ea5b9d8eb6333f9882dee27227c7d2c718e1edeef5bc488208e40862d3fbb33b59c9b0dae

Filesize: 4.2MB
MD5: b05fc926901d611f28a3de5afc836293
SHA1: 7ed6a3f9b944e21523979713166f8c632fd4e3b5
SHA256: 6270f34ea7b05bbf4b6711a5857b7e9a9ae44fd7998aa79015d482e7de7a1546
SHA512: 8c3f021d3603e3f0d09c2ffc511efbfea5499c74bf5f1d653f5662a55465b314bdc730df15e12041c9bf4b357616d9bfee35148003cb62a1beec1442f062715c

Filesize: 2.0MB
MD5: 8e67f58837092385dcf01e8a2b4f5783
SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec