Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
arch:x64 arch:x86 image:win11-20240412-en locale:en-us os:windows11-21h2-x64 system
submitted
17/04/2024, 19:13
Static task
static1
Behavioral task
behavioral1
Sample
6743985174a766c5e8eb2ff26f09308e0d7783710e74d20504e7c533a1f8e027.exe
Resource
win10v2004-20240412-en
General
-
Target
6743985174a766c5e8eb2ff26f09308e0d7783710e74d20504e7c533a1f8e027.exe
-
Size
4.2MB
-
MD5
8fd2b4ce721563b89d313ec0d5283d62
-
SHA1
51d31a9e5aec6ff42c2bd0ffc041b9b170fef505
-
SHA256
6743985174a766c5e8eb2ff26f09308e0d7783710e74d20504e7c533a1f8e027
-
SHA512
6421db81816f265452625e3b00ab368b24e4d9c8a809354df2101b08b727b12c2e63544ddf4f577732bca23a32c2a332814c7a51277df7eaa4e247182c189396
-
SSDEEP
98304:u+HT2dFOlkJa7jNZC2ePu9ILkthheCYlOaX:3zMKBrC2kuA8hntM
Malware Config
Signatures
-
Glupteba payload 21 IoCs
Modifies Windows Firewall 2 TTPs 1 IoCs
pid   Process
1892  netsh.exe
Executes dropped EXE 4 IoCs
pid   Process
2820  csrss.exe
2892  injector.exe
4496  windefender.exe
2124  windefender.exe
UPX packed file 4 IoCs
resource                                                                      yara_rule
behavioral2/files/0x000200000002aa13-250.dat                                  upx
behavioral2/memory/4496-254-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral2/memory/2124-258-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
behavioral2/memory/2124-264-0x0000000000400000-0x00000000008DF000-memory.dmp  upx
Adds Run key to start application 2 TTPs 2 IoCs
description      ioc                                                                                                                                                      Process
Set value (str)  \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""  6743985174a766c5e8eb2ff26f09308e0d7783710e74d20504e7c533a1f8e027.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""  csrss.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
description                   ioc           Process
File opened for modification  \??\WinMonFS  csrss.exe
Drops file in System32 directory 7 IoCs
description                   ioc                                                                                                                   Process
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive   powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive   powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive   powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive   powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive   powershell.exe
File created                  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive   powershell.exe
File created                  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log            powershell.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description              ioc                Process
File opened (read-only)  \??\VBoxMiniRdrDN  6743985174a766c5e8eb2ff26f09308e0d7783710e74d20504e7c533a1f8e027.exe
Drops file in Windows directory 4 IoCs
description                   ioc                          Process
File created                  C:\Windows\windefender.exe   csrss.exe
File opened for modification  C:\Windows\windefender.exe   csrss.exe
File opened for modification  C:\Windows\rss               6743985174a766c5e8eb2ff26f09308e0d7783710e74d20504e7c533a1f8e027.exe
File created                  C:\Windows\rss\csrss.exe     6743985174a766c5e8eb2ff26f09308e0d7783710e74d20504e7c533a1f8e027.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid  Process
228  sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2412  schtasks.exe
4952  schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 12 IoCs
description                          pid   Process
Token: SeDebugPrivilege              4996  powershell.exe
Token: SeDebugPrivilege              1400  6743985174a766c5e8eb2ff26f09308e0d7783710e74d20504e7c533a1f8e027.exe
Token: SeImpersonatePrivilege        1400  6743985174a766c5e8eb2ff26f09308e0d7783710e74d20504e7c533a1f8e027.exe
Token: SeDebugPrivilege              3932  powershell.exe
Token: SeDebugPrivilege              3024  powershell.exe
Token: SeDebugPrivilege              3388  powershell.exe
Token: SeDebugPrivilege              4908  powershell.exe
Token: SeDebugPrivilege              3184  powershell.exe
Token: SeDebugPrivilege              4344  powershell.exe
Token: SeSystemEnvironmentPrivilege  2820  csrss.exe
Token: SeSecurityPrivilege           228   sc.exe
Token: SeSecurityPrivilege           228   sc.exe
Suspicious use of WriteProcessMemory 36 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\6743985174a766c5e8eb2ff26f09308e0d7783710e74d20504e7c533a1f8e027.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6743985174a766c5e8eb2ff26f09308e0d7783710e74d20504e7c533a1f8e027.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400 -
Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4996
-
-
Level 2: C:\Users\Admin\AppData\Local\Temp\6743985174a766c5e8eb2ff26f09308e0d7783710e74d20504e7c533a1f8e027.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6743985174a766c5e8eb2ff26f09308e0d7783710e74d20504e7c533a1f8e027.exe"
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1040 -
Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3932
-
-
Level 3: C:\Windows\system32\cmd.exe
Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
- Suspicious use of WriteProcessMemory
PID:2944 -
Level 4: C:\Windows\system32\netsh.exe
Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
- Modifies Windows Firewall
PID:1892
-
-
-
Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024
-
-
Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3388
-
-
Level 3: C:\Windows\rss\csrss.exe
Command line: C:\Windows\rss\csrss.exe
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820 -
Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4908
-
-
Level 4: C:\Windows\SYSTEM32\schtasks.exe
Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
- Creates scheduled task(s)
PID:2412
-
-
Level 4: C:\Windows\SYSTEM32\schtasks.exe
Command line: schtasks /delete /tn ScheduledUpdate /f
PID:1580
-
-
Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3184
-
-
Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: powershell -nologo -noprofile
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4344
-
-
Level 4: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2892
-
-
Level 4: C:\Windows\SYSTEM32\schtasks.exe
Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
- Creates scheduled task(s)
PID:4952
-
-
Level 4: C:\Windows\windefender.exe
Command line: "C:\Windows\windefender.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
Level 5: C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
- Suspicious use of WriteProcessMemory
PID:1244 -
Level 6: C:\Windows\SysWOW64\sc.exe
Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:228
-
Level 1: C:\Windows\windefender.exe
Command line: C:\Windows\windefender.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2124
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Downloads
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 281KB
MD5: d98e33b66343e7c96158444127a117f6
SHA1: bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256: 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512: 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: ac4917a885cf6050b1a483e4bc4d2ea5
SHA1: b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256: e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512: 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: e0560f8793eb201afe1617efd5142242
SHA1: e6fc96b1d9416fb91ab06a76ce39b7b292d5abc6
SHA256: 1a6146e31cf1354decb647ab85a410dc305f17833f3a52c3f9c4635e3bde065f
SHA512: 99b27f145cecde409a08dc5b1a6facea249b687f7c002d76d4e768284f85c0c9bb486c457b7656dc0e4c3e381961e6f854e7281cdd64c18d102d624fa43c7d67
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: ac00a67fc09f23547abf75ff24cbc6ad
SHA1: 325213be2291b9fa6eebdf667668169c963b3594
SHA256: 76b1d70310c46273299b09f965fa5945e39d3f8f523e477a37dc9ec82e341a17
SHA512: a5f79f66a7c85580c56ff3f00aaaac9748139afed5e272ff3877f155eeb99114b3851e7bf4e0d14659f3ee096128639406c27f38daf56116ba994ef00469fd2c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 08500905c885297f05d5b6d5cbbe9b79
SHA1: fcf6b64c3ca88f2676ac1c0e61a9c11a69e69071
SHA256: 125b0e9283d9c6dc0346eed832374c9734a71dbacd3e5408a9ccf4cc884942a7
SHA512: a0804bd6304a907e974a4c671a2306886c3c9eb42e62dc0412fb03af0446339e3ca39da44ba213ff0e7cc163a259efde305437b87faecc99f6b30a1ebc6e2ba1
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: f2981ba7e048fcf789e57feeb62fdbf5
SHA1: d16ac7dc81e1b2f5ac5771b3e39e5a4a9972d7d4
SHA256: 42b60d3a293d1f7ba8d3002b0608a87b30fb99d5342411f61fda06dca305c477
SHA512: 77f4bdd857f8d32efa161d534c936df2a4a17c432bc5ebb7ea40371bbc9b89c0fd7cc1d7135fce92f0a2bb1db236bc18d2d4a724192482ea5abc01887d7b702b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 19KB
MD5: 405f34f6016219a49a6d22b960c97669
SHA1: a05de10585e7b5dbe3b2f5b1bd1085e063f6561f
SHA256: 3f70e5e99c119b98c3bab523bea9a209cdc8f57660e4265079d21b7c046b4f51
SHA512: 568a08b98f0485ebd42af4df4de79254f069ad9b23d90d80d4f71d29beebda057befa1bfc64278ac8fe159eb92adb431ceb9600468a161d9607bd071015d632c
-
Filesize: 4.2MB
MD5: 8fd2b4ce721563b89d313ec0d5283d62
SHA1: 51d31a9e5aec6ff42c2bd0ffc041b9b170fef505
SHA256: 6743985174a766c5e8eb2ff26f09308e0d7783710e74d20504e7c533a1f8e027
SHA512: 6421db81816f265452625e3b00ab368b24e4d9c8a809354df2101b08b727b12c2e63544ddf4f577732bca23a32c2a332814c7a51277df7eaa4e247182c189396
-
Filesize: 2.0MB
MD5: 8e67f58837092385dcf01e8a2b4f5783
SHA1: 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256: 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512: 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec