Analysis

max time kernel: 183s
max time network: 179s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/04/2024, 19:07

Static task: static1
Behavioral task: behavioral1
Sample: 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Resource: win10v2004-20240412-en
General

Target: 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Size: 4.2MB
MD5: 865849b49fa70dafff6110ff8e6491cc
SHA1: c9d69fb29145b3ecb6ca79e37b17b43c3110869a
SHA256: 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0
SHA512: efdf89774402f91265a683178f422e66f7d315ab23166b4b1a7fd2cc8af9d10e17e2bc8f247ee7df745ae4a4654642c2981d0abce00087c32647c68cfa59ba48
SSDEEP: 98304:m+HT2dFOlkJa7jNZC2ePu9ILkthheCYlOaq:fzMKBrC2kuA8hntF
Malware Config
Signatures
Glupteba payload (15 IoCs)

resource | yara_rule
behavioral1/memory/3472-2-0x0000000005150000-0x0000000005A3B000-memory.dmp | family_glupteba
behavioral1/memory/3472-3-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral1/memory/3472-4-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral1/memory/3472-18-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral1/memory/3472-20-0x0000000005150000-0x0000000005A3B000-memory.dmp | family_glupteba
behavioral1/memory/3472-36-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral1/memory/3472-57-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral1/memory/3676-74-0x0000000005110000-0x00000000059FB000-memory.dmp | family_glupteba
behavioral1/memory/3676-75-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral1/memory/3472-87-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral1/memory/3676-102-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral1/memory/3676-109-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral1/memory/3676-124-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral1/memory/3676-141-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
behavioral1/memory/3676-178-0x0000000000400000-0x000000000310E000-memory.dmp | family_glupteba
Modifies Windows Firewall (2 TTPs, 1 IoC)

pid | Process
1544 | netsh.exe
Drops file in System32 directory (3 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 1 IoC)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Modifies data under HKEY_USERS (64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Suspicious behavior: EnumeratesProcesses (22 IoCs)

pid | Process
224 | powershell.exe
224 | powershell.exe
224 | powershell.exe
3472 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
3472 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
1092 | powershell.exe
1092 | powershell.exe
3676 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
3676 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
3676 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
3676 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
3676 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
3676 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
3676 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
3676 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
3676 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
3676 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
472 | powershell.exe
472 | powershell.exe
472 | powershell.exe
3464 | powershell.exe
3464 | powershell.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 224 | powershell.exe
Token: SeDebugPrivilege | 3472 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Token: SeImpersonatePrivilege | 3472 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe
Token: SeDebugPrivilege | 1092 | powershell.exe
Token: SeDebugPrivilege | 472 | powershell.exe
Token: SeDebugPrivilege | 3464 | powershell.exe
Suspicious use of WriteProcessMemory (16 IoCs)

description | pid | Process | procid_target
PID 3472 wrote to memory of 224 | 3472 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | 98
PID 3472 wrote to memory of 224 | 3472 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | 98
PID 3472 wrote to memory of 224 | 3472 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | 98
PID 3676 wrote to memory of 1092 | 3676 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | 111
PID 3676 wrote to memory of 1092 | 3676 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | 111
PID 3676 wrote to memory of 1092 | 3676 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | 111
PID 3676 wrote to memory of 4176 | 3676 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | 114
PID 3676 wrote to memory of 4176 | 3676 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | 114
PID 4176 wrote to memory of 1544 | 4176 | cmd.exe | 116
PID 4176 wrote to memory of 1544 | 4176 | cmd.exe | 116
PID 3676 wrote to memory of 472 | 3676 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | 120
PID 3676 wrote to memory of 472 | 3676 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | 120
PID 3676 wrote to memory of 472 | 3676 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | 120
PID 3676 wrote to memory of 3464 | 3676 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | 122
PID 3676 wrote to memory of 3464 | 3676 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | 122
PID 3676 wrote to memory of 3464 | 3676 | 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe | 122
Processes

C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe (PID 3472, tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 224, tree depth 2)
    Command line: powershell -nologo -noprofile
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe (PID 3676, tree depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0.exe"
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1092, tree depth 3)
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe (PID 4176, tree depth 3)
      Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\netsh.exe (PID 1544, tree depth 4)
        Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        - Modifies Windows Firewall

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 472, tree depth 3)
      Command line: powershell -nologo -noprofile
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3464, tree depth 3)
      Command line: powershell -nologo -noprofile
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\rss\csrss.exe (PID 3204, tree depth 3)
      Command line: C:\Windows\rss\csrss.exe

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4664, tree depth 4)
        Command line: powershell -nologo -noprofile
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: 968cb9309758126772781b83adb8a28f
SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: a4982d32a3ca38343d43169532cb8d75
SHA1: fc4ec5996220ccefbd4ad8e1db89715240777be3
SHA256: 9ab381714df549e4934fde8a44a3d85f55c8e951e01c4b5454845f901176c005
SHA512: 233af13709428eb883faccb55da2505d04a82b87b481a5107ea32e1e004919f2e46035a6067e86f04f796692817ff4a30c949ce2339700ba242564f19d929278

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: f69305103db671231c69635575cc8bf2
SHA1: 8cfae1ba0b4045013f60c01ce53bdf7385e9ebef
SHA256: 697b35215accf0a7faeb66359e6f85ba91562757320ffe82627326fe571e9bc7
SHA512: 683af2ef7c16ee4b7acd696cffcfb652cdf5741c478a3f13da0d61f2a2a89c46a69eb277d8097b4eb3ccf89bb1c9c399064cd32a996542e89c4b3d93e7b4cf43

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 03028d324173584ee65bdb549194084e
SHA1: f32b29d0f35cd2d04d4f751eb8733631db7601b9
SHA256: d4e63e404c173be47ecff6ea7580563e69fe3fc607bd81f0f423c0c11e218371
SHA512: 0f0f09ed37af3d4277a6e9fd3486c3228ed2b93ca3183d507c65d49e9b4c7aca6a11bd6b0ccbc0f08fe26b72b4071500e5f788a9ce1d55e7b5ece1c3c72fdc81

Filesize: 4.2MB (same hashes as the submitted sample)
MD5: 865849b49fa70dafff6110ff8e6491cc
SHA1: c9d69fb29145b3ecb6ca79e37b17b43c3110869a
SHA256: 7e34b0688fed575d1949989a32638330d145062e138b0399c78ef6e2ca546fc0
SHA512: efdf89774402f91265a683178f422e66f7d315ab23166b4b1a7fd2cc8af9d10e17e2bc8f247ee7df745ae4a4654642c2981d0abce00087c32647c68cfa59ba48