Analysis

Max time kernel: 16s
Max time network: 148s
Platform: windows11-21h2_x64
Resource: win11-20240412-en
Resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 17/04/2024, 19:05

Static task: static1
Behavioral task: behavioral1
Sample: 02edb28b7025dff02c9fcaaca82627dd71c09f9fde478d9c82359d75afd79966.exe
Resource: win10v2004-20240412-en

General

Target: 02edb28b7025dff02c9fcaaca82627dd71c09f9fde478d9c82359d75afd79966.exe
Size: 4.2MB
MD5: f394bfa3c95dfdef8cbb45d48b25a334
SHA1: 99778572c99591b2abff07ee5948a0b00f28272a
SHA256: 02edb28b7025dff02c9fcaaca82627dd71c09f9fde478d9c82359d75afd79966
SHA512: 86a5ae9b368bfc074cee62d80880f82eae61552ea86af8c2d9e5f94ad2ed59a86317ad9cef95b34042463d4bd0ce19719bdc21bd117c81f3c4f509236c680e53
SSDEEP: 98304:m+HT2dFOlkJa7jNZC2ePu9ILkthheCYlOaZ:fzMKBrC2kuA8hntG
Malware Config
Signatures
Glupteba payload (20 IoCs, yara rule: family_glupteba)
Modifies Windows Firewall (2 TTPs, 1 IoC)
- PID 2420: netsh.exe

Executes dropped EXE (1 IoC)
- PID 5996: csrss.exe

Yara rule match: upx (4 IoCs)
- behavioral2/files/0x000200000002aa13-247.dat
- behavioral2/memory/3112-252-0x0000000000400000-0x00000000008DF000-memory.dmp
- behavioral2/memory/448-255-0x0000000000400000-0x00000000008DF000-memory.dmp
- behavioral2/memory/448-261-0x0000000000400000-0x00000000008DF000-memory.dmp

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" (process: 02edb28b7025dff02c9fcaaca82627dd71c09f9fde478d9c82359d75afd79966.exe)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (6 IoCs)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (process: powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (process: powershell.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (process: powershell.exe)
- File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log (process: powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (process: powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive (process: powershell.exe)

Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 1 IoC)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
- File opened (read-only): \??\VBoxMiniRdrDN (process: 02edb28b7025dff02c9fcaaca82627dd71c09f9fde478d9c82359d75afd79966.exe)

Drops file in Windows directory (2 IoCs)
- File opened for modification: C:\Windows\rss (process: 02edb28b7025dff02c9fcaaca82627dd71c09f9fde478d9c82359d75afd79966.exe)
- File created: C:\Windows\rss\csrss.exe (process: 02edb28b7025dff02c9fcaaca82627dd71c09f9fde478d9c82359d75afd79966.exe)
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
- PID 4592: sc.exe

Program crash (1 IoC)
- PID 5540: WerFault.exe (target PID 2340, procid_target 81)

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 1476: schtasks.exe
- PID 3528: schtasks.exe

Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses (26 IoCs)
Suspicious use of AdjustPrivilegeToken (9 IoCs)
- Token SeDebugPrivilege: PID 2340 powershell.exe
- Token SeDebugPrivilege: PID 3352 02edb28b7025dff02c9fcaaca82627dd71c09f9fde478d9c82359d75afd79966.exe
- Token SeImpersonatePrivilege: PID 3352 02edb28b7025dff02c9fcaaca82627dd71c09f9fde478d9c82359d75afd79966.exe
- Token SeDebugPrivilege: PID 1604 powershell.exe
- Token SeDebugPrivilege: PID 560 powershell.exe
- Token SeDebugPrivilege: PID 884 powershell.exe
- Token SeDebugPrivilege: PID 5696 powershell.exe
- Token SeDebugPrivilege: PID 3680 powershell.exe
- Token SeDebugPrivilege: PID 5000 powershell.exe
Suspicious use of WriteProcessMemory (28 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\02edb28b7025dff02c9fcaaca82627dd71c09f9fde478d9c82359d75afd79966.exe (depth 1, PID 3352)
  command line: "C:\Users\Admin\AppData\Local\Temp\02edb28b7025dff02c9fcaaca82627dd71c09f9fde478d9c82359d75afd79966.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2340)
      command line: powershell -nologo -noprofile
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WerFault.exe (depth 3, PID 5540)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 2460
          - Program crash

    C:\Users\Admin\AppData\Local\Temp\02edb28b7025dff02c9fcaaca82627dd71c09f9fde478d9c82359d75afd79966.exe (depth 2, PID 2604)
      command line: "C:\Users\Admin\AppData\Local\Temp\02edb28b7025dff02c9fcaaca82627dd71c09f9fde478d9c82359d75afd79966.exe"
      - Adds Run key to start application
      - Checks for VirtualBox DLLs, possible anti-VM trick
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 1604)
          command line: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\cmd.exe (depth 3, PID 1184)
          command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\netsh.exe (depth 4, PID 2420)
              command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              - Modifies Windows Firewall

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 560)
          command line: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 884)
          command line: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\rss\csrss.exe (depth 3, PID 5996)
          command line: C:\Windows\rss\csrss.exe
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 5696)
              command line: powershell -nologo -noprofile
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SYSTEM32\schtasks.exe (depth 4, PID 1476)
              command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              - Creates scheduled task(s)

            C:\Windows\SYSTEM32\schtasks.exe (depth 4, PID 1936)
              command line: schtasks /delete /tn ScheduledUpdate /f

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 3680)
              command line: powershell -nologo -noprofile
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4, PID 5000)
              command line: powershell -nologo -noprofile
              - Modifies data under HKEY_USERS
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (depth 4, PID 2072)
              command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

            C:\Windows\SYSTEM32\schtasks.exe (depth 4, PID 3528)
              command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              - Creates scheduled task(s)

            C:\Windows\windefender.exe (depth 4, PID 3112)
              command line: "C:\Windows\windefender.exe"

                C:\Windows\SysWOW64\cmd.exe (depth 5, PID 2052)
                  command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

                    C:\Windows\SysWOW64\sc.exe (depth 6, PID 4592)
                      command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                      - Launches sc.exe

C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 1568)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 2340 -ip 2340

C:\Windows\windefender.exe (depth 1, PID 448)
  command line: C:\Windows\windefender.exe
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
- Scheduled Task/Job (1)
Downloads